The territorial scope of privacy and data protection can be fundamental. When does one jurisdiction’s legal reach extend to the actions of organisations beyond its geographical borders?  

Late last year, the European Data Protection Board (EDPD) published its final guidance on the territorial scope of the European Union’s General Data Protection Regulation (GDPR). If you haven’t been sleeping, you’ll be aware the GDPR is the landmark privacy upgrade that applies to citizens of all European Union countries. It aims primarily to give individuals control over their personal information. One consequence of this is that organisations and businesses outside Europe now need to comply with the GDPR if they handle the personal information of European citizens.

The GDPR came into effect in May 2018 and the rest of the world has had to take notice, if it continues to trade with the European Union and process the personal information of EU citizens.

GDPR Article 3

The guidance from the EDPB on the territorial scope traverses Article 3 of the GDPR. This article reflects the EU’s intention to ensure comprehensive protection of the privacy rights of EU citizens within the EU, and when data is sent outside the EU.

Article 3(1) affirms that the GDPR applies to the activities of data processors and controllers relating to an establishment in the EU, but regardless of where the data processing actually takes place.

The EDPB recommends that non-EU organisations undertake an assessment of their processing activities, firstly by determining whether personal data is being processed, and secondly by identifying potential links between the activity for which the data is being processed and their activities in the EU.

Even if there is no EU establishment, Article 3(2) (“targeting”) says the GDPR applies to non-EU controllers or processors in two situations – those that offer goods or services to individuals in the EU and those who monitor the behaviour of individuals in the EU.

The EDPB recommends a twofold approach to targeting – firstly, whether the organisation is processing the personal data of data subjects who are in the EU, and secondly, whether the processing relates to offering goods or services or monitoring data subjects’ behaviour in the EU, including behavioural advertising and online tracking. Note that data controllers or processors subject to the GDPR on this basis are required to appoint a representative in the EU, and the EDPB has included guidance about this requirement.

If you want to know more about whether your organisation is affected, these FAQs may be helpful.